Web login token CLI token Supported Apache Airflow CLI commands Unsupported Apache Airflow CLI commands

Accessing the Apache Airflow UI

After you create an environment, a link to the Apache Airflow UI is added to the Environments table in the Amazon MWAA console. The permissions to access the Apache Airflow UI in your environment are managed by IAM. To use the link to access the Apache Airflow, you must have the necessary permissions. To grant the permissions to a user or role, you must attach a policy similar to the Apache Airflow UI access.

In addition to attaching the necessary permission policy that grants access to the Apache Airflow UI, you must also use tokens in the request to access the UI.

Topics

Web login token
CLI token
Supported Apache Airflow CLI commands
Unsupported Apache Airflow CLI commands

Web login token

Use the CreateWebLoginToken API action to create a short-lived token that allows a user to log into Apache Airflow web UI. The generated token are valid for only 60 seconds.

The following is an example of a web server access URL that includes a CreateWebLoginToken token.


https://<webServerHostName>/aws_mwaa/aws-console-sso?login=true#<webToken>

Request


{
    "name": "<Name of the environment>"
}

Response


{
    "webToken": "<Short-lived token generated for enabling access
                  to the Apache Airflow Webserver UI>",
    "webServerHostname": "<Hostname for the WebServer of the environment>"
}

CLI token

Use the CreateCliToken API action to create a short-lived token that allows a user to invoke the Airflow CLI via an endpoint on the Apache Airflow Webserver. The generated token is valid for only 60 seconds after creation.

The following example POST request demonstrates how to access the Apache Airflow Webserver using curl:


export WEB_SERVER_HOSTNAME="<webServerHostname>"
export CLI_TOKEN="<cliToken>"
curl --request POST "https://$WEB_SERVER_HOSTNAME/aws_mwaa/cli" \
    --header "Authorization: Bearer $CLI_TOKEN" \
    --header "Content-Type: text/plain" \
    --data-raw "show_dag my_dag"

The response of a successful POST call contains the following JSON object:

Response


{
    "stderr":"<STDERR of the CLI execution (if any), base64 encoded>",
    "stdout":"<STDOUT of the CLI execution, base64 encoded>"
}

The following example demonstrates an additional method to create a CLI token:


# brew install jq
aws mwaa create-cli-token --name MWAAEnvironmentName | export CLI_TOKEN=$(jq -r .CliToken) && curl --request POST "https://$WEB_SERVER_HOSTNAME/aws_mwaa/cli" \
    --header "Authorization: Bearer $CLI_TOKEN" \
    --header "Content-Type: text/plain" \
    --data-raw "trigger_dag DAGName"

Supported Apache Airflow CLI commands

The following Apache Airflow CLI commands are supported when using Apache Airflow in an Amazon MWAA environment:

dag_state
delete_dag
list_dag_runs
list_dags
list_tasks
next_execution
pause
pool
render
run
show_dag
task_failed_deps
task_state
test
trigger_dag
unpause
variables
version

Unsupported Apache Airflow CLI commands

The following Apache Airflow CLI commands are not supported when running Apache Airflow in an Amazon MWAA environment.

checkdb
connections
create_user
delete_user
flower
initdb
kerberos
list_users
resetdb
rotate_fernet_key
scheduler
serve_logs
shell
sync_perm
upgradedb
webserver
worker

Warning Javascript is disabled or is unavailable in your browser.

To use the AWS Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Create an environment

Configuring environments